V2.2 Security Target with BSI OSPP Compliance
Version: 1.8
Status: Release
Last Update: 2012-08-15
Trademarks
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.
Legal Notice
This document is provided AS IS with no express or implied warranties. Use the information in this document at your own risk.
This document may be reproduced or distributed in any form without prior permission provided the copyright notice is retained on all copies. Modified versions of this document may be freely distributed provided that they are clearly identified as such, and this copyright is included intact.
Revision History
Revision | Date | Changes to Previous Revision | Author(s)
1.8 | 2012-08-15 | Updated from AIX 6.1 to AIX 7.1 and switched to BSI OSPP. | Scott Chapman, Andreas Siegert
Table of Contents
1 Introduction ... 13
1.1 Security Target Identification ... 13
1.2 TOE Identification ... 13
1.3 TOE Type ... 13
1.4 TOE Overview ... 13
1.4.1 Required and optional non-TOE software/hardware/firmware ... 14
1.4.1.1 Software ... 14
1.4.1.2 Hardware/Firmware ... 14
1.4.2 Intended method of use ... 14
1.4.3 Major security features ... 14
1.5 TOE Description ... 15
1.5.1 Summary of security features ... 17
1.5.1.1 AIX ... 17
1.5.1.2 VIOS ... 22
1.5.2 Software ... 23
1.5.3 Configurations ... 24
1.5.3.1 File systems ... 25
1.5.3.2 Technical environment for use ... 25
2 CC Conformance Claim ... 28
2.1 Protection Profile tailoring and additions ... 28
2.1.1 BSI Operating System Protection Profile ([OSPP]) ... 28
2.1.2 BSI OSPP Extended Package - Advanced Management ([OSPP-AM]) ... 29
2.1.3 BSI OSPP Extended Package - General Purpose Cryptography ([OSPP-CRYPTO]) ... 29
2.1.4 BSI OSPP Extended Package - Integrity Verification ([OSPP-IV]) ... 29
2.1.5 BSI OSPP Extended Package - Labeled Security ([OSPP-LS]) ... 29
2.1.6 BSI OSPP Extended Package - Virtualization ([OSPP-VIRT]) ... 29
3 Security Problem Definition ... 30
3.1 Threat Environment ... 30
3.1.1 Threats countered by the TOE ... 30
3.1.2 Threats countered by the Operational Environment ... 32
3.2 Assumptions ... 32
3.2.1 Environment of use of the TOE ... 32
3.2.1.1 Physical ... 32
3.2.1.2 Personnel ... 32
3.2.1.3 Procedural ... 33
3.2.1.4 Connectivity ... 34
3.3 Organizational Security Policies ... 34
4 Security Objectives ... 36
4.1 Objectives for the TOE ... 36
4.3.1 Coverage ... 42
4.3.2 Sufficiency ... 45
5 Extended Components Definition ... 57
5.1 Class FDP: User data protection ... 57
5.1.1 Residual Information protection (RIP) ... 57
5.1.1.1 FDP_RIP.4 - Hard disk drive residual information protection ... 57
6 Security Requirements ... 58
6.1 TOE Security Functional Requirements ... 58
6.1.1 Access Control Policies ... 58
6.1.1.1 Compartment Access Control Policy (FDP_ACC.2(VIRT), FDP_ACF.1(VIRT)) ... 58
6.1.1.2 Compartment Information Flow Control Policy (FDP_ETC.2(VIRT), FDP_IFC.2(VIRT),FDP_IFF.1(VIRT), FDP_ITC.2(VIRT)) ... 58
6.1.2 SFR Table ... 59
6.1.3 AIX and Trusted AIX shared security functional requirements ... 69
6.1.3.1 Audit data generation [OSPP] (FAU_GEN.1(BASE)) ... 69
6.1.3.2 User identity association [OSPP] (FAU_GEN.2) ... 70
6.1.3.3 Audit review [OSPP] (FAU_SAR.1) ... 70
6.1.3.4 Restricted audit review [OSPP] (FAU_SAR.2) ... 71
6.1.3.5 Selectable audit review [ST] (FAU_SAR.3(BASE)) ... 71
6.1.3.6 Selective audit [OSPP] (FAU_SEL.1(BASE)) ... 71
6.1.3.7 Protected audit trail storage [OSPP] (FAU_STG.1) ... 71
6.1.3.8 Action in case of possible audit data loss [OSPP] (FAU_STG.3) ... 72
6.1.3.9 Prevention of audit data loss [OSPP] (FAU_STG.4) ... 72
6.1.3.10 Cryptographic key generation [OSPP] (FCS_CKM.1(SYM)) ... 72
6.1.3.11 Cryptographic key generation [OSPP] (FCS_CKM.1(RSA)) ... 72
6.1.3.12 Cryptographic key generation [OSPP] (FCS_CKM.1(DSA)) ... 73
6.1.3.13 Cryptographic key distribution [OSPP] (FCS_CKM.2(NET)) ... 73
6.1.3.14 Cryptographic key destruction [OSPP] (FCS_CKM.4) ... 73
6.1.3.15 Cryptographic operation [OSPP] (FCS_COP.1(NET)) ... 73
6.1.3.16 Cryptographic operation [OSPP-CRYPTO] (FCS_COP.1(CRYPTO-ENC)) ... 74
6.1.3.17 Cryptographic operation [OSPP-CRYPTO] (FCS_COP.1(CRYPTO-MD)) ... 74
6.1.3.18 Cryptographic operation [OSPP-CRYPTO] (FCS_COP.1(CRYPTO-SGN)) .... 75
6.1.3.19 Cryptographic operation [ST] (FCS_COP.1(CLIC-ENC)) ... 75
6.1.3.20 Cryptographic operation [ST] (FCS_COP.1(CLIC-MD)) ... 75
6.1.3.21 Cryptographic operation [ST] (FCS_COP.1(CLIC-SGN)) ... 76
6.1.3.22 Random number generation [OSPP] (FCS_RNG.1(CLIC)) ... 76
6.1.3.23 Subset access control [OSPP] (FDP_ACC.1(PSO-AIXC)) ... 76
6.1.3.24 Subset access control [OSPP] (FDP_ACC.1(PSO-NFS)) ... 77
6.1.3.25 Subset access control [OSPP] (FDP_ACC.1(TSO)) ... 78
6.1.3.26 Subset access control [ST] (FDP_ACC.1(AUTH)) ... 78
6.1.3.27 Subset access control [ST] (FDP_ACC.1(RBAC)) ... 78
6.1.3.28 Subset access control [ST] (FDP_ACC.1(TCB)) ... 79
6.1.3.29 Subset access control [ST] (FDP_ACC.1(TCP)) ... 79
6.1.3.31 Security attribute based access control [OSPP] (FDP_ACF.1(PSO-AIXC)) ... 80
6.1.3.32 Security attribute based access control [OSPP] (FDP_ACF.1(PSO-NFS)) ... 81
6.1.3.33 Security attribute based access control [OSPP] (FDP_ACF.1(TSO)) ... 82
6.1.3.34 Complete access control [OSPP-VIRT] (FDP_ACF.1(VIRT)) ... 83
6.1.3.35 Security attribute based access control [ST] (FDP_ACF.1(AUTH)) ... 83
6.1.3.36 Security attribute based access control [ST] (FDP_ACF.1(RBAC)) ... 84
6.1.3.37 Security attribute based access control [ST] (FDP_ACF.1(TCB)) ... 85
6.1.3.38 Security attribute based access control [ST] (FDP_ACF.1(TCP)) ... 85
6.1.3.39 Export of user data with security attributes [OSPP-VIRT] (FDP_ETC.2(VIRT)) ... 86
6.1.3.40 Complete information flow control [OSPP] (FDP_IFC.2(NI)) ... 87
6.1.3.41 Complete information flow control [OSPP-VIRT] (FDP_IFC.2(VIRT)) ... 87
6.1.3.42 Simple security attributes [OSPP] (FDP_IFF.1(NI)) ... 87
6.1.3.43 Simple security attributes [OSPP-VIRT] (FDP_IFF.1(VIRT)) ... 89
6.1.3.44 Import of user data with security attributes [OSPP] (FDP_ITC.2(BASE)) ... 89
6.1.3.45 Import of user data with security attributes [OSPP-VIRT] (FDP_ITC.2(VIRT)) ... 89
6.1.3.46 Full residual information protection [OSPP] (FDP_RIP.2) ... 90
6.1.3.47 Full residual information protection of resources [OSPP] (FDP_RIP.3) ... 90
6.1.3.48 Hard disk drive residual information protection [ST] (FDP_RIP.4) ... 90
6.1.3.49 Stored data integrity monitoring and action [OSPP-IV] (FDP_SDI.2(IV)) ... 90
6.1.3.50 Authentication failure handling [OSPP] (FIA_AFL.1) ... 90
6.1.3.51 User attribute definition [OSPP] (FIA_ATD.1(HU)) ... 91
6.1.3.52 User attribute definition [OSPP] (FIA_ATD.1(TU)) ... 91
6.1.3.53 Verification of secrets [OSPP] (FIA_SOS.1(BASE)) ... 91
6.1.3.54 Timing of authentication [OSPP] (FIA_UAU.1) ... 91
6.1.3.55 Multiple authentication mechanisms [OSPP] (FIA_UAU.5) ... 91
6.1.3.56 Protected authentication feedback [OSPP] (FIA_UAU.7(BASE)) ... 92
6.1.3.57 Timing of identification [OSPP] (FIA_UID.2(BASE)) ... 92
6.1.3.58 User identification before any action [OSPP-VIRT] (FIA_UID.2(VIRT)) ... 92
6.1.3.59 Enhanced user-subject binding [OSPP] (FIA_USB.2) ... 92
6.1.3.60 Management of object security attributes [OSPP] (FMT_MSA.1(PSO-AIXC)) ... 94
6.1.3.61 Management of object security attributes [OSPP] (FMT_MSA.1(PSO-NFS)) ... 94
6.1.3.62 Management of object security attributes [OSPP] (FMT_MSA.1(TSO)) ... 94
6.1.3.63 Management of security attributes [OSPP-VIRT] (FMT_MSA.1(VIRT-CACP)) ... 94
6.1.3.64 Management of security attributes [OSPP-VIRT] (FMT_MSA.1(VIRT-CIFCP)) ... 94
6.1.3.66 Management of object security attributes [ST] (FMT_MSA.1(RBAC-ADM)) ... 95
6.1.3.67 Management of object security attributes [ST] (FMT_MSA.1(RBAC-AUTH)) ... 95
6.1.3.68 Management of object security attributes [ST] (FMT_MSA.1(RBAC-DFLT)) ... 95
6.1.3.69 Management of object security attributes [ST] (FMT_MSA.1(RBAC-USR)) ... 95
6.1.3.70 Management of object security attributes [ST] (FMT_MSA.1(TCB)) ... 95
6.1.3.71 Management of object security attributes [ST] (FMT_MSA.1(TCP)) ... 95
6.1.3.72 Secure security attributes [ST] (FMT_MSA.2(RBAC)) ... 95
6.1.3.73 Static attribute initialisation [OSPP] (FMT_MSA.3(PSO-AIXC)) ... 95
6.1.3.74 Static attribute initialisation [OSPP] (FMT_MSA.3(PSO-NFS)) ... 96
6.1.3.75 Static attribute initialisation [OSPP] (FMT_MSA.3(TSO)) ... 96
6.1.3.76 Static attribute initialisation [OSPP] (FMT_MSA.3(NI)) ... 96
6.1.3.77 Static attribute initialisation [OSPP-VIRT] (FMT_MSA.3(VIRT-CACP)) ... 96
6.1.3.78 Static attribute initialisation [OSPP-VIRT] (FMT_MSA.3(VIRT-CIFCP)) ... 96
6.1.3.79 Static attribute initialisation [ST] (FMT_MSA.3(AUTH)) ... 96
6.1.3.80 Static attribute initialisation [ST] (FMT_MSA.3(RBAC)) ... 97
6.1.3.81 Static attribute initialisation [ST] (FMT_MSA.3(TCB)) ... 97
6.1.3.82 Static attribute initialisation [ST] (FMT_MSA.3(TCP)) ... 97
6.1.3.83 Security attribute value inheritance [OSPP] (FMT_MSA.4(PSO)) ... 97
6.1.3.84 Management of TSF data [OSPP] (FMT_MTD.1(AE)) ... 97
6.1.3.85 Management of TSF data [OSPP] (FMT_MTD.1(AS)) ... 97
6.1.3.86 Management of TSF data [OSPP] (FMT_MTD.1(AT)) ... 98
6.1.3.87 Management of TSF data [OSPP] (FMT_MTD.1(AF)) ... 98
6.1.3.88 Management of TSF data [OSPP] (FMT_MTD.1(NI)) ... 98
6.1.3.89 Management of TSF data [OSPP] (FMT_MTD.1(IAT)) ... 98
6.1.3.90 Management of TSF data [OSPP] (FMT_MTD.1(IAF)) ... 98
6.1.3.91 Management of TSF data [OSPP] (FMT_MTD.1(IAU)) ... 98
6.1.3.92 Management of TSF data [OSPP-AM] (FMT_MTD.1(AM-AP)) ... 99
6.1.3.93 Management of TSF data [OSPP-AM] (FMT_MTD.1(AM-MR)) ... 99
6.1.3.94 Management of TSF data [OSPP-AM] (FMT_MTD.1(AM-MD)) ... 99
6.1.3.95 Management of TSF data [OSPP-AM] (FMT_MTD.1(AM-MA)) ... 99
6.1.3.96 Management of TSF data [OSPP-IV] (FMT_MTD.1(IV-ACT)) ... 99
6.1.3.97 Management of TSF data [OSPP-IV] (FMT_MTD.1(IV-TSF)) ... 99
6.1.3.98 Management of TSF data [OSPP-IV] (FMT_MTD.1(IV-USR)) ... 100
6.1.3.99 Management of TSF data [OSPP-VIRT] (FMT_MTD.1(VIRT-COMP)) ... 100
6.1.3.100 Management of TSF data [ST] (FMT_MTD.1(PRIVS)) ... 100
6.1.3.101 Management of TSF data [ST] (FMT_MTD.1(RBAC)) ... 100
6.1.3.102 Secure TSF data [ST] (FMT_MTD.3(RBAC)) ... 100
6.1.3.103 Revocation [OSPP] (FMT_REV.1(OBJ)) ... 100
6.1.3.104 Revocation [OSPP] (FMT_REV.1(USR)) ... 100
6.1.3.105 Specification of management functions [OSPP] (FMT_SMF.1(BASE)) .... 101
6.1.3.107 Failure with preservation of secure state [ST] (FPT_FLS.1(RBAC)) ... 102
6.1.3.108 Failure with preservation of secure state [ST] (FPT_FLS.1(SED)) ... 102
6.1.3.109 Manual recovery [ST] (FPT_RCV.1) ... 102
6.1.3.110 Function recovery [ST] (FPT_RCV.4) ... 102
6.1.3.111 Reliable time stamps [OSPP] (FPT_STM.1) ... 102
6.1.3.112 Inter-TSF basic TSF data consistency [OSPP] (FPT_TDC.1(BASE)) ... 102
6.1.3.113 Inter-TSF basic TSF data consistency [OSPP-VIRT] (FPT_TDC.1(VIRT)) ... 102
6.1.3.114 TSF integrity monitoring and action [OSPP-IV] (FPT_TIM.1(IV)) ... 103
6.1.3.115 TSF testing [ST] (FPT_TST.1) ... 103
6.1.3.116 Limited fault tolerance [ST] (FRU_FLT.2) ... 103
6.1.3.117 Limitation on scope of selectable attributes [ST] (FTA_LSA.1(RBAC)) ... 103
6.1.3.118 TSF-initiated session locking [OSPP] (FTA_SSL.1) ... 103
6.1.3.119 User-initiated locking [OSPP] (FTA_SSL.2) ... 104
6.1.3.120 TOE session establishment [ST] (FTA_TSE.1(RBAC)) ... 104
6.1.3.121 Inter-TSF trusted channel [OSPP] (FTP_ITC.1) ... 104
6.1.4 Additional Trusted AIX security functional requirements (i.e., LAS mode only) ... 105
6.1.4.1 Audit data generation [ST] (LAS mode only) (FAU_GEN.1(LS)) ... 105
6.1.4.2 Selectable audit review [ST] (LAS mode only) (FAU_SAR.3(LS)) ... 105
6.1.4.3 Selective audit [OSPP] (LAS mode only) (FAU_SEL.1(LS)) ... 105
6.1.4.4 Export of user data with security attributes [OSPP-LS] (LAS mode only) (FDP_ETC.2(LS)) ... 106
6.1.4.5 Subset information flow control [ST] (LAS mode only) (FDP_IFC.1(MIC)) ... 107
6.1.4.6 Subset information flow control [ST] (LAS mode only) (FDP_IFC.1(TN)) ... 107
6.1.4.7 Complete information flow control [OSPP-LS] (LAS mode only) (FDP_IFC.2(LS)) ... 108
6.1.4.8 Hierarchical security attributes [ST] (LAS mode only) (FDP_IFF.2(MIC)) ... 108
6.1.4.9 Hierarchical security attributes [ST] (LAS mode only) (FDP_IFF.2(TN)) .... 109
6.1.4.10 Hierarchical security attributes [OSPP-LS] (LAS mode only) (FDP_IFF.2(LS)) ... 111
6.1.4.11 Import of user data without security attributes [OSPP-LS] (LAS mode only) (FDP_ITC.1(LS)) ... 113
6.1.4.12 Import of user data with security attributes [OSPP-LS] (LAS mode only) (FDP_ITC.2(LS)) ... 113
6.1.4.13 User attribute definition [OSPP-LS] (LAS mode only) (FIA_ATD.1(LS)) .... 113
6.1.4.14 User attribute definition [ST] (LAS mode only) (FIA_ATD.1(LSX)) ... 114
6.1.4.15 User-subject binding [OSPP-LS] (LAS mode only) (FIA_USB.1(LS)) ... 114
6.1.4.16 User-subject binding [ST] (LAS mode only) (FIA_USB.1(LSX)) ... 114
6.1.4.17 Management of security attributes [OSPP-LS] (LAS mode only) (FMT_MSA.1(LS)) ... 115
6.1.4.18 Management of security attributes [ST] (LAS mode only) (FMT_MSA.1(MIC)) ... 115
6.1.4.19 Management of security attributes [ST] (LAS mode only) (FMT_MSA.1(TN)) ... 115
6.1.4.20 Static attribute initialisation [OSPP-LS] (LAS mode only) (FMT_MSA.3(LS)) ... 115
6.1.4.21 Static attribute initialisation [ST] (LAS mode only) (FMT_MSA.3(MIC)) ... 115
6.1.4.22 Static attribute initialisation [ST] (LAS mode only) (FMT_MSA.3(TN)) .... 115
6.1.4.23 Inter-TSF basic TSF data consistency [OSPP-LS] (LAS mode only) (FPT_TDC.1(LS)) ... 116
6.1.5 VIOS security functional requirements ... 116
6.1.5.1 Subset access control [ST] (VIOS only) (FDP_ACC.1(VIOS)) ... 116
6.1.5.2 Subset access control [ST] (VIOS only) (FDP_ACC.1(VRBAC)) ... 116
6.1.5.3 Security attribute based access control [ST] (VIOS only) (FDP_ACF.1(VIOS)) ... 117
6.1.5.4 Security attribute based access control [ST] (VIOS only) (FDP_ACF.1(VRBAC)) ... 117
6.1.5.5 User attribute definition [ST] (VIOS only) (FIA_ATD.1(VIOS)) ... 118
6.1.5.6 Verification of secrets [ST] (VIOS only) (FIA_SOS.1(VIOS)) ... 118
6.1.5.7 User authentication before any action [ST] (VIOS only) (FIA_UAU.2) ... 118
6.1.5.8 Protected authentication feedback [ST] (VIOS only) (FIA_UAU.7(VIOS)) ... 118
6.1.5.9 User identification before any action [ST] (VIOS only) (FIA_UID.2(VIOS)) ... 119
6.1.5.10 User-subject binding [ST] (VIOS only) (FIA_USB.1(VIOS)) ... 119
6.1.5.11 Management of security attributes [ST] (VIOS only) (FMT_MSA.1(VIOS)) ... 119
6.1.5.12 Management of object security attributes [ST] (VIOS only) (FMT_MSA.1(VRBAC-ADM)) ... 120
6.1.5.13 Management of object security attributes [ST] (VIOS only) (FMT_MSA.1(VRBAC-AUTH)) ... 120
6.1.5.14 Management of object security attributes [ST] (VIOS only) (FMT_MSA.1(VRBAC-DFLT)) ... 120
6.1.5.15 Management of object security attributes [ST] (VIOS only) (FMT_MSA.1(VRBAC-USR)) ... 120
6.1.5.16 Secure security attributes [ST] (VIOS only) (FMT_MSA.2(VRBAC)) ... 120
6.1.5.17 Static attribute initialisation [ST] (VIOS only) (FMT_MSA.3(VIOS)) ... 120
6.1.5.18 Static attribute initialisation [ST] (VIOS only) (FMT_MSA.3(VRBAC)) ... 120
6.1.5.19 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VIOS-ADI)) ... 121
6.1.5.20 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VIOS-ADM)) .... 121
6.1.5.21 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VIOS-NV)) ... 121
6.1.5.22 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VIOS-SA)) ... 121
6.1.5.23 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VRBAC)) ... 121
6.1.5.24 Secure TSF data [ST] (VIOS only) (FMT_MTD.3(VRBAC)) ... 121
6.1.5.25 Revocation [ST] (VIOS only) (FMT_REV.1(VIOS)) ... 122
6.1.5.26 Specification of management functions [ST] (VIOS only) (FMT_SMF.1(VIOS)) ... 122
6.1.5.28 Limitation on scope of selectable attributes [ST] (VIOS only) (FTA_LSA.1(VRBAC)) ... 122
6.1.5.29 TOE session establishment [ST] (VIOS only) (FTA_TSE.1(VRBAC)) ... 122
6.2 Security Functional Requirements Rationale ... 123
6.2.1 Coverage ... 123
6.2.2 Sufficiency ... 130
6.2.3 Security requirements dependency analysis ... 137
6.2.4 Internal consistency and mutual support of SFRs ... 148
6.3 Security Assurance Requirements ... 148
6.3.1 Security Target evaluation (ASE) ... 150
6.3.1.1 Conformance claims (ASE_CCL.1) ... 150
6.4 Security Assurance Requirements Rationale ... 150
7 TOE Summary Specification ... 151
7.1 Security Enforcing Components Overview ... 151
7.1.1 Introduction ... 151
7.1.2 Kernel services ... 151
7.1.3 Non-kernel TSF services ... 153
7.1.4 Network services ... 153
7.1.5 Workload Partitions ... 154
7.1.6 Security policy overview ... 154
7.1.7 TSF structure ... 156
7.1.8 TSF interfaces ... 156
7.1.8.1 User interfaces ... 156
7.1.8.2 Operation and administrator interface ... 157
7.1.9 Secure and Non-Secure States ... 158
7.2 TOE Security Functions ... 158
7.2.1 Introduction ... 158
7.2.2 AIX & Trusted AIX ... 159
7.2.2.1 Identification and authentication (IA) ... 159
7.2.2.2 Auditing (AU) ... 165
7.2.2.3 Discretionary access control (DA) ... 171
7.2.2.4 Workload Partitions (WP) ... 185
7.2.2.5 Role-based access (RA) ... 186
7.2.2.6 Privileges (PV) ... 187
7.2.2.7 Authorizations (AZ) ... 191
7.2.2.8 Mandatory access control (MAC) (LAS mode only) ... 192
7.2.2.9 Networking (NET) ... 194
7.2.2.10 Trusted Networking (TN) (LAS mode only) ... 195
7.2.2.11 Mandatory Integrity Control (MIC) (LAS mode only) ... 197
7.2.2.12 Object reuse (OR) ... 198
7.2.2.13 Security Management (SM) ... 201
7.2.2.14 TSF protection (TP) ... 207
7.2.2.15 AIX Cryptographic Framework (CRYPTO.1) ... 217
7.2.3.1 Identification and authentication (VIOS.IA) ... 218
7.2.3.2 Discretionary access control (VIOS.DA.1) ... 221
7.2.3.3 Role-based access control (VIOS.RA) ... 222
7.2.3.4 Security management (VIOS.SM) ... 223
8 Abbreviations, Terminology and References ... 226
8.1 Abbreviations ... 226
8.2 Terminology ... 233
List of Tables
Table 1: BAS mode vs. LAS mode for TOE ... 16
Table 2: BAS mode vs. LAS mode for Operational Environment ... 16
Table 3: List of LPPs / File sets ... 23
Table 4: PRPQ table ... 24
Table 5: SFR name modifications to [OSPP] ... 28
Table 6: Mapping of security objectives to threats and policies ... 42
Table 7: Mapping of security objectives for the Operational Environment to assumptions, threats and policies ... 44
Table 8: Sufficiency of objectives countering threats ... 45
Table 9: Sufficiency of objectives holding assumptions ... 51
Table 10: Sufficiency of objectives enforcing Organizational Security Policies ... 54
Table 11: Security functional requirements for the TOE ... 59
Table 12: MIC subjects, objects, and operations ... 107
Table 13: MCIFC subjects, objects, and operations ... 108
Table 14: Mapping of security functional requirements to security objectives ... 123
Table 15: Security objectives for the TOE rationale ... 130
Table 16: TOE SFR dependency analysis ... 137
Table 17: Security assurance requirements ... 149
Table 18: auditselect event field values ... 168
Table 19: MAC objects and operations ... 192
Table 20: Audit control files ... 202
Table 21: AIX password parameters ... 206
Table 22: System security flags (SSFs) (BAS mode only) ... 209
Table 23: System security flags (SSFs) (LAS mode only) ... 209
Table 24: Administrative databases ... 212
Table 25: Kernel databases ... 214
Table 26: File security flags (FSFs) ... 215
List of Figures
1 Introduction
1.1 Security Target Identification
Title: IBM AIX 7 for POWER V7.1 Technology level 7100-00-03 with optional IBM Virtual I/O Server V2.2 Security Target with BSI OSPP Compliance
Version: 1.8
Status: Release
Date: 2012-08-15
Sponsor: IBM Corporation
Developer: IBM Corporation
Certification ID: BSI-DSZ-CC-0711
Keywords: AIX, AIX 7.1, general-purpose operating system, POSIX, UNIX, access control, discretionary access control, information protection, labels, labeled security, mandatory access control, MLS, security, Trusted AIX, trusted operating system, LPAR, VIOS, OSPP
1.2 TOE Identification
The TOE is IBM AIX 7 for POWER V7.1 with optional VIOS V2.2.
1.3 TOE Type
The TOE type is an operating system and a virtualization layer.
1.4 TOE Overview
The TOE consists of two major parts: AIX and VIOS. AIX is a highly-configurable UNIX-based operating system that meets the requirements of the BSI Operating System Protection Profile [OSPP] along with several of the [OSPP] Extended Packages.
The AIX portion of the TOE can be installed in two different modes: “BAS mode” or “LAS mode”. In BAS mode (Basic AIX Security mode), AIX offers the capabilities of [OSPP] and all of the [OSPP] Extended Packages defined in section 2 except for the Labeled Security Extended Package of [OSPP-LS]. In LAS mode (Labeled AIX Security mode, a.k.a. Trusted AIX), AIX adds the capabilities of labeled security conforming to the [OSPP-LS] Extended Package. The mode of operation (i.e., BAS mode or LAS mode) is decided at installation time.
Additionally, the IBM Virtual I/O Server (VIOS) is included in the evaluated configuration as an optional component. VIOS exists as a layer between the hardware and operating systems for virtualizing the hardware. VIOS provides logical partitions (LPARs) for running multiple operating systems on the same hardware where each instance of an operating system runs in its own LPAR. VIOS does not claim conformance to any protection profile. VIOS is treated as a separate component of the TOE with separate security problem definitions, objectives, and security functional requirements independent of those for AIX and Trusted AIX.
1.4.1 Required and optional non-TOE software/hardware/firmware
1.4.1.1 Software
There is no required non-TOE software. The following is a list of optional non-TOE software:
● IBM Network Authentication Service (NAS - a.k.a. Kerberos Version 5)
● IBM Tivoli Directory Server (TDS - a.k.a. LDAP)
1.4.1.2 Hardware/Firmware
The following is a list of required non-TOE hardware. The firmware (BootProm) is included with the hardware.
● IBM System p POWER6
● IBM System p POWER7
1.4.2 Intended method of use
AIX is a UNIX-based, multi-user, multi-tasking operating system. After successful login, users have access to a general computing environment, allowing the start-up of user applications, issuing user commands at shell level, and creating and accessing files. AIX provides adequate mechanisms to separate the users and protect their data. Privileged commands are restricted to the system administrator roles.
AIX permits one or more processors and attached peripheral and storage devices to be used by multiple users to perform a variety of functions requiring controlled shared access to the data stored on the system. Such installations are typical of personal, workgroup, or enterprise computing systems accessed by users local to, or with otherwise protected access to, the computer systems. AIX provides facilities for on-line interaction with users. Networking is covered only to the extent to which AIX can be considered to be part of a centrally-managed system that meets a common set of security requirements.
Optionally, VIOS can be used as a layer between AIX and the hardware to support multiple LPARs running multiple operating systems.
1.4.3 Major security features
The major AIX security features (in BAS mode) are:
● Identification & authentication - Provides identification and authentication of users.
● Auditing - Provides audit logs for logging security relevant events.
● Discretionary access control (DAC) - Allows object owners to control access to their objects through features like access control lists (ACLs) and the Encrypted File System (EFS).
● Object reuse - Provides methods to prevent data contained in deleted objects from being accessed.
● Security management - Provides for management of AIX security features.
● TSF protection - Provides methods to prevent the modification of TOE Security Functionality.
● Privileges, authorizations, roles, and superuser emulation - Provides mechanisms that partition and limit the amount of power a user and executables have. Superuser emulation (BAS mode only) supports the older UNIX-style of a single superuser.
● TCB protection - Provides additional protection to objects marked as part of the Trusted Computing Base (TCB).
● Trusted Execution - Provides integrity checking of specified resources at access time.
● Protected remote access - Provides IPsec protected connections for remote access.
● IP filtering - Provides IP filtering for data packets flowing through AIX.
● Workload Partitions (WPARs) - Provides virtual AIX environments within AIX.
● Cryptographic Framework - Provides a common kernel interface for hardware/software cryptographic functions.
In addition, the following AIX security features are available in LAS mode:
● Mandatory access control (MAC) - Provides access control to data based on security
level and category labels (a.k.a. labeled security).
● Mandatory integrity control (MIC) - Provides access control to data based on data
integrity labels.
● Trusted Network (TN) - Provides labeled security of network data.
The major VIOS security features are:
● Identification & authentication - Provides identification and authentication of users.
● Discretionary access control - Provides access control between SCSI device drivers and logical/physical volumes and between Ethernet adapter device drivers and Ethernet device drivers.
● Role-based access control - Provides multiple administrative roles for controlled management.
● Security management - Provides for management of VIOS security features.
1.5 TOE Description
The target of evaluation (TOE) is the AIX Version 7.1 operating system and the optional IBM Virtual I/O Server (VIOS) Version 2.2.
AIX is a general purpose, multi-user, multi-tasking operating system. It is compliant with all major international standards for UNIX systems, such as the POSIX standards, X/Open XPG 4, Spec 1170, and [FIPS180-3]. It provides a platform for a variety of applications in the governmental and commercial environment. AIX is available on a broad range of computer systems from IBM, ranging from departmental servers to multi-processor enterprise servers, and is capable of running in an LPAR (Logical Partitioning) environment.
Several servers running AIX 7.1 (any combination of BAS mode systems and LAS mode systems can be used) can be connected to form a distributed system, but not all components of such a system are components of the TOE. The communication aspects within AIX 7.1 used for this connection are also part of the evaluation. It is assumed that the communication links themselves are protected against interception and manipulation by measures which are outside the scope of this evaluation.
In LAS mode, the TOE enforces MAC, MIC, DAC, and TCB control policies to implement security goals, such as confidentiality, integrity, and accountability. LAS mode can operate in a network or stand-alone configuration. In a network configuration, LAS mode supports BSO/ESO/CIPSO/RIPSO and provides network filtering on incoming and outgoing packets, based on network interface and host filtering rules.
The AIX evaluation shall consist of a closed network of high-end, mid-range and low-end IBM System p POWER6 and POWER7 servers running the TOE. In addition, each server may optionally run VIOS. VIOS exists as a layer between the hardware and operating systems for virtualizing the hardware. VIOS provides logical partitions (LPARs) for running multiple operating systems on the same hardware where each instance of an operating system runs in its own LPAR.
The TOE Security Functionality (TSF) consists of those parts of AIX that run in kernel mode plus some trusted processes. These are the functions that enforce the security policy as defined in this Security Target. Tools and commands executed in user mode that are used by the system administrator need also to be trusted to manage the system in a secure way but, as with other operating system evaluations, they are not considered to be part of this TSF. The TSF also consists of the parts that comprise the optional VIOS.
Table 1 and Table 2 provide a guide for what is supported in BAS mode and what is supported in LAS mode. An ‘X’ means that the mode supports the description.

TOE Description | LAS Mode | BAS Mode
The TOE includes installation from CD-ROM and the network. | X | X
The TOE includes the Virtual Input/Output Server (VIOS) which allows for the virtualization of SCSI drives and network adapters. | X | X
System administration tools include the smitty non-graphical system management tool. The WebSM administrative tool is excluded. | X | X
The TOE includes standard networking applications, such as ftp, rlogin, rsh, and NFS. Port filtering will be used to protect network applications which might otherwise have security exposures. | | X
The TOE includes the following networking applications: telnet and ftp. It also includes NFS as a single level file system. | X |
The TOE includes the X-Window graphical interface and many X-Window applications. | | X
The TOE supports BSO/ESO/CIPSO/RIPSO for IPv4 with an AIX specific implementation for IPv6 and provides network filtering on incoming and outgoing packets, based on network interface and host filtering rules. | X |
Table 1: BAS mode vs. LAS mode for TOE

Operational Environment Description | LAS Mode | BAS Mode
The Operational Environment includes the hardware and the BootProm firmware. | X | X
The Operational Environment includes applications that are not evaluated, but are used as unprivileged tools to access public system services, for example the Mozilla web browser or the Adobe Acrobat Reader to access the supplied online documentation (which is provided in HTML and PDF formats). No HTTP server is included in the evaluated configuration. | X | X
The Operational Environment includes LDAP for maintaining TOE authentication data. | | X
The Operational Environment includes Kerberos for aiding in establishing a trusted channel between NFSv4 clients and servers. | X | X
Table 2: BAS mode vs. LAS mode for Operational Environment
1.5.1 Summary of security features
The following sections present a summary of the security features that the TOE offers. These security features are supported by domain separation and reference mediation, which ensure that the features are always invoked and cannot be bypassed.
1.5.1.1 AIX
1.5.1.1.1 Identification and authentication
AIX provides identification and authentication (I&A) based upon user passwords. The quality of the passwords used can be enforced through configuration options controlled by AIX. The evaluated configurations for I&A are:
● The file-based authentication method (the default configuration for authentication), which
uses passwords to authenticate users.
● The LDAP authentication method configured for UNIX-type authentication, which uses
passwords to authenticate users. (In the UNIX-type configuration, LDAP only stores the data used for I&A. It does not perform I&A for AIX.)
● The NAS (Kerberos Version 5) authentication method, but limited to NFSv4 client-server
authentication for establishing trusted channel communications between the NFSv4 client and server.
Other authentication methods that AIX supports in general (e.g. Kerberos as a general AIX authentication method) are not part of the evaluated configuration. In particular, pluggable authentication modules that would, for example, allow the use of a token-based authentication process are not part of the evaluated configuration.
All individual users are assigned a unique user identifier. This user identifier supports individual accountability. The TOE authenticates the claimed identity of the user before allowing the user to perform any further actions.
IBM Tivoli Directory Server (TDS) 6.1 and 6.2 are used for the LDAP service. The TDS client interface used by AIX uses the IBM Global Services Kit (GSKit) for providing SSL services. The client interface, including GSKit, is part of the Operational Environment.
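The password-quality enforcement mentioned above is driven by per-user and default attributes. The following is an added example, not code from the Security Target or from AIX: it models a policy using the attribute names AIX uses in /etc/security/user (minlen, minalpha, minother, maxrepeats, mindiff, histsize; the page itself does not list them at this point, its Table 21 covers the password parameters), reads them from a constructed stanza file in that style, and checks candidate passwords against them. The checking rules are a simplified model of the attribute semantics, and the history is kept in clear text here only to keep the example short; a real implementation compares against stored hashes.

```python
from dataclasses import dataclass, fields


@dataclass
class PasswordPolicy:
    # Attribute names follow AIX /etc/security/user; semantics are a simplified model.
    minlen: int = 8        # minimum length
    minalpha: int = 2      # minimum alphabetic characters
    minother: int = 2      # minimum non-alphabetic characters
    maxrepeats: int = 2    # maximum times any single character may appear
    mindiff: int = 4       # characters in the new password that must not be in the old one
    histsize: int = 5      # number of previous passwords that may not be reused


# Constructed sample in the style of /etc/security/user; not a real system file.
SAMPLE_USER_FILE = """\
* constructed sample: default stanza plus one per-user override
default:
        minlen = 8
        minalpha = 2
        minother = 2
        maxrepeats = 2
        mindiff = 4
        histsize = 5

operator:
        minlen = 12
"""


def load_policy(stanza_text, user):
    """Parse an AIX-style stanza file: 'default:' values apply unless the
    user's own stanza overrides them. Lines starting with '*' are comments."""
    stanzas, current = {}, None
    for raw in stanza_text.splitlines():
        line = raw.split("*", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value
    merged = dict(stanzas.get("default", {}))
    merged.update(stanzas.get(user, {}))
    known = {f.name for f in fields(PasswordPolicy)}
    return PasswordPolicy(**{k: int(v) for k, v in merged.items() if k in known})


def check_password(policy, new, old=None, history=()):
    """Return the names of the violated attributes; an empty list means acceptable."""
    violations = []
    alpha = sum(c.isalpha() for c in new)
    if len(new) < policy.minlen:
        violations.append("minlen")
    if alpha < policy.minalpha:
        violations.append("minalpha")
    if len(new) - alpha < policy.minother:
        violations.append("minother")
    if any(new.count(c) > policy.maxrepeats for c in set(new)):
        violations.append("maxrepeats")
    if old is not None and sum(1 for c in new if c not in old) < policy.mindiff:
        violations.append("mindiff")
    if new in list(history)[-policy.histsize:]:
        violations.append("histsize")
    return violations


if __name__ == "__main__":
    policy = load_policy(SAMPLE_USER_FILE, "operator")
    print(policy)
    print(check_password(policy, "aaaaaaa1"))
```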
1.5.1.1.2 Auditing
AIX can collect extensive auditing information about security related actions taken or attempted by users, ensuring that users are accountable for their actions.
For each event record, the audit event logger prefixes an audit header to the event-specific information. This header identifies the user and process for which this event is being audited, as well as the time of the event. The code that detects the event supplies the event type and return code or status and optionally, additional event-specific information (the event tail). Event-specific information consists of object names (for example, files refused access or tty used in failed login attempts), subroutine parameters, and other modified information.
This audit trail can be analyzed to identify attempts to compromise security and determine the extent of the compromise. The audit tools can also extract audit records of events involving objects and/or subjects having specified security attributes.
1.5.1.1.3 Discretionary access control
Discretionary Access Control (DAC) restricts access to objects, such as files and is based on Access Control Lists (ACLs) and the standard UNIX permissions for user, group and others. Access control mechanisms also protect IPC objects from unauthorized access. BAS mode supports ACLs on sockets for TCP connections. LAS mode supports ACLs on network ports and interfaces.
In addition, AIX supports the Encrypted File System (EFS) which allows for the encryption and decryption of files using the Advanced Encryption Standard (AES). File encryption works as a type of access control mechanism. The user must have DAC access and have access to the file's encryption key in order to decrypt the file's content. AIX uses the IBM CryptoLite for C (CLiC) cryptographic module for EFS encryption and decryption.
1.5.1.1.4 Object reuse
All resources are protected from object reuse (scavenging) by explicit initialization, explicit clearing, or storage management; together with the Erase Disk service aid, four general techniques are used to meet this requirement:
● Explicit Initialization: The resource's contents are explicitly and completely initialized to a known state before the resource is made accessible to a subject after creation.
● Explicit Clearing: The resource's contents are explicitly cleared to a known state when the resource is returned for re-use.
● Storage Management: The storage making up the resource is managed to ensure that uninitialized storage is never accessible.
● Erase Disk: AIX offers as part of its diagnostic subsystem an Erase Disk service aid that can be invoked by the administrator to overwrite all data currently stored in user-accessible blocks of a disk with predefined bit patterns.
1.5.1.1.5 Security management
The management of the security critical parameters of AIX is performed by administrative users. A set of commands that require system administrator privileges are used for system management. Security parameters are stored in specific files that are protected by the access control mechanisms of the TOE against unauthorized access by users that are not administrative users.
In BAS mode and LAS mode, security management can be split between different roles.
1.5.1.1.6 TSF protection
While in operation, the kernel software and data are protected by the hardware memory protection mechanisms. The memory and process management components of the kernel ensure a user process cannot access kernel storage or storage belonging to other processes.
TSF software and data, files and directories, kernel objects, IPC and networks sockets/packets are protected by TCB, DAC, and process isolation mechanisms. LAS mode provides additional mechanisms of MAC and MIC.
The TOE and the hardware and firmware components are required to be physically protected from unauthorized access. The system kernel mediates all access to the hardware mechanisms themselves, other than program visible CPU instruction functions.
The system administrator has the ability to start a program that checks the hardware for correct operation.
LAS Mode Only: The operational mode of AIX is intended to be the standard operating mode of the machine. The restrictions associated with operational mode cannot be overridden or bypassed by any mechanism. These restrictions are:
● the system security flags (SSFs) cannot be modified
● objects with the file security flags (FSFs) FSF_TLIB and FSF_TLIB_PROC set cannot be created, modified, or deleted
1.5.1.1.7 Privileges, authorizations, roles, and superuser emulation
The TOE implements a privilege mechanism within the kernel that allows users to implement the least privilege principle. A privilege is an attribute of a process that allows the process to bypass specific restrictions and limitations of the system. Privileges are associated only with processes, not user accounts. Privileges are used to override security constraints, to permit expanded use of certain system resources such as memory and disk space, and to adjust the performance and priority of the process. Restricting privileges on a process limits the damage that can result if an operation is improperly performed. Untrusted programs must not have any privileges assigned to them.
This ST describes both a “root enabled mode” and a “root disabled mode” available in BAS mode, but only “root enabled mode” is allowed in the evaluated configuration of BAS mode. All mention of root enabled mode and root disabled mode refers to a BAS mode system only. (In root enabled mode, the ‘root’ user has the typical ‘root’ authority found in previous versions of AIX. In root disabled mode, the ‘root’ user has its authority reduced to the equivalent of an ordinary user.) Only root disabled mode is supported/allowed in LAS mode.
The TOE least privilege mechanism can take the place of the traditional user ID 0 (superuser/root) mechanism of UNIX. In LAS mode, user ID 0 is treated exactly like any other system user ID unless superuser emulation is in effect for the process. In BAS mode with root enabled mode enabled, user ID 0 supports the traditional superuser mechanism.
Privileges can be associated with executable files and assigned to an executing process, similar to the way the setuid bit on a file modifies the executing process's user ID. A process can also be prevented from acquiring privileges via the exec mechanism. Privileges can be used directly within a user-level program that is responsible for mediating or enforcing security by having the program retrieve its privilege set from the kernel and to make decisions based on the presence or absence of specific privileges. A process can temporarily disable one or more of its privileges if the process needs to perform an action on the system without bypassing the system security policy.
The TOE supports the policy of separation of duties, which provides for the compartmentalization of responsibility reducing the potential damage from a corrupt user or administrator, and places limits on the authority of the user or administrator. Authorizations provide a mechanism to grant rights to users to perform particular actions and run particular programs, such as programs that will run with privileges to bypass MAC, MIC, or DAC limitations. Each authorization has a well-defined set of functions that can be performed by users who are granted that authorization. There are two types of authorized users: administrative role users and ordinary users. An administrative user is any authorized user that has one or more of the RBAC related authorizations (see the next paragraph for a discussion on RBAC). An ordinary user has no RBAC authorizations.
A role-based access control (RBAC) mechanism is implemented in AIX. Roles are predefined collections of authorizations that can be assigned to users. AIX comes with a set of predefined roles. It also allows system administrators to create new roles for their environment. AIX has two types of RBAC: Legacy RBAC and Enhanced RBAC. The evaluated configuration uses Enhanced RBAC only. All references to RBAC in this document imply Enhanced RBAC unless otherwise specified. In addition to RBAC functions, combined roles or role-based approval can be implemented according to the user's needs via the "n-man rule" functionality, which is based on the authexec command; authexec executes other commands only after all required roles have authenticated. Commands needing the n-man rule are listed in the privcmds database and cannot be executed outside of the control of the authexec command.
A program has the ability to query the active authorizations associated with the user running the program, and the program can behave differently and use different privileges based on the authorization set of the user running the program. For the evaluated configuration, administrators (or, administrative users) are defined as all users that have any authorization assigned to them. All user IDs below 205 are considered system IDs; they are typically used for daemons and other trusted applications.
Additionally, AIX provides a Privileged Commands (privcmds) database for granting privileges and setuid/setgid capabilities to trusted executables at runtime when a user has the proper authorizations. When the kernel invokes a program, it checks the database for the existence of the program. If the program exists and the user has the proper authorizations, the discretionary access control on the program is ignored and the program is invoked with the privileges and/or setuid/setgid specified in the privcmds database.
The TOE provides a superuser emulation mechanism that allows the system to operate similar to a standard UNIX system. Superuser emulation can be enabled for specific processes while leaving all other processes running under the standard TOE least privilege and authorization mechanisms. There are several ways in which a process can emulate superuser:
1. A process can be granted all privileges on the system, regardless of its user ID.
2. Using the PV_SU_ROOT privilege, a process can be granted all privileges associated with the standard AIX/UNIX superuser regardless of its user ID, such as the privileges to bypass any DAC restrictions and to manage the auditing mechanism, but not privileges that are specific to the TOE-provided augmentation of standard AIX/UNIX security functionality, such as the privileges to modify kernel authorization tables, override MAC checks, etc.
3. Alternatively, the PV_SU_EMUL privilege can be set to grant processes all privileges associated with standard AIX/UNIX superuser when their process user ID is 0.
4. A process can be granted all authorizations/roles regardless of its user ID.
5. A process can be granted a “virtual user ID” of 0 so that queries to the kernel for its user ID will return 0 regardless of the actual user ID associated with the process.
1.5.1.1.8 TCB protection
The TOE provides the concept of a Trusted Computing Base (TCB). Kernel, device drivers, system administration utilities, and other critical software that is used to enforce and administer the security of the system are part of this TCB. In addition, any file system object in the TOE (file, directory, device, etc.) can be marked with a TCB flag: FSF_TLIB. Alternatively, executables can be marked with the FSF_TLIB_PROC flag. The TCB is subject to several bypass control mechanisms enforced by the TOE, such as additional access control and integrity protection. Changes to objects being flagged as TCB objects can only be made when the system is in configuration mode or when the system security flag (SSF) trustedlib_enabled is disabled.
The integrity of objects in the TCB database is verified at every system startup and at the request of an authorized administrator.
1.5.1.1.9 Trusted Execution (TE)
In addition to the TCB, the TOE also supports a more modern form of integrity protection by monitoring files for integrity violations at access time. The Trusted Execution function allows the administrator to define system and user resources whose integrity is checked each time they are accessed; access is denied when the resource has been modified. This prevents the execution of trojaned programs or libraries as well as the use of configuration files that have been tampered with. The checking is based on verifying SHA-256 checksums. The interface for managing the Trusted Execution function is the trustchk command.
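As an added illustration of the access-time integrity check described above (this is not code from the Security Target or from AIX, and it does not reproduce trustchk or its database format), the following Python models a tracked resource whose SHA-256 is recorded by the administrator and verified on every open; the in-memory database, file names and contents are constructed for the example.

```python
# Added example (not the ST's or AIX's code; trustchk and its database are
# not reproduced): an integrity check at access time in the style of section
# 1.5.1.1.9.  A tracked file is opened only if its SHA-256 matches the
# recorded value; untracked files are opened normally.  The in-memory
# "trusted database" and the sample files are constructed for illustration.
import hashlib
import os
import tempfile
from typing import Dict, IO

# path -> SHA-256 hex digest recorded by the administrator (constructed here)
TRUSTED_DB: Dict[str, str] = {}


class IntegrityViolation(PermissionError):
    """Raised when a tracked resource no longer matches its recorded hash."""


def _sha256_of_stream(f: IO[bytes]) -> str:
    h = hashlib.sha256()
    for chunk in iter(lambda: f.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def register_trusted(path: str) -> str:
    """Record the current content hash of a resource (the admin's 'define' step)."""
    with open(path, "rb") as f:
        digest = _sha256_of_stream(f)
    TRUSTED_DB[os.path.abspath(path)] = digest
    return digest


def open_checked(path: str) -> IO[bytes]:
    """Open a resource for reading, denying access if it is tracked and changed.

    The hash is computed over the already-open descriptor and that same
    descriptor is returned (rewound), so there is no window between the
    check and the use in which a different file could be swapped in by name.
    """
    f = open(path, "rb")
    expected = TRUSTED_DB.get(os.path.abspath(path))
    if expected is None:
        return f                       # not under integrity control
    if _sha256_of_stream(f) != expected:
        f.close()
        raise IntegrityViolation(f"{path}: content differs from trusted SHA-256")
    f.seek(0)
    return f


def demo() -> dict:
    """Exercise clean access, a tampered resource and an untracked resource."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.conf")
        with open(cfg, "wb") as f:
            f.write(b"audit=on\n")
        register_trusted(cfg)

        with open_checked(cfg) as f:           # unchanged: access granted
            results["clean_access"] = f.read() == b"audit=on\n"

        with open(cfg, "wb") as f:             # simulate tampering after registration
            f.write(b"audit=off\n")
        try:
            open_checked(cfg).close()
            results["tampered_denied"] = False
        except IntegrityViolation:
            results["tampered_denied"] = True

        other = os.path.join(d, "notes.txt")   # never registered
        with open(other, "wb") as f:
            f.write(b"free text\n")
        with open_checked(other) as f:
            results["untracked_allowed"] = f.read() == b"free text\n"
    return results


if __name__ == "__main__":
    print(demo())
```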
1.5.1.1.10 Networking
1.5.1.1.10.1 Protected remote access
The TOE supports IPsec for protected remote access connections. IPsec provides integrity and confidentiality of the transported data and is able to authenticate the end points.
1.5.1.1.10.2 IP filtering
The TOE supports IP filtering of packets flowing to and through the TOE. IP packet flow can be permitted or denied based on several criteria/rules including presumed source address, destination address, and destination ports. IP packet filtering includes time-based rules where packet flow can be permitted or denied for a limited period of time after which the rules change.
1.5.1.1.11 Workload Partitions (WPARs)
AIX supports virtual environments called Workload Partitions (WPARs) which provide virtual AIX environments within AIX. WPARs provide process isolation so that applications can be installed and tested in a virtual environment. AIX supports two types of WPARs: System WPARs and Application WPARs.
A System WPAR is a virtual AIX system with its own set of users, administrators, hostname, network addresses, process isolation, IPC isolation, and file system isolation. An Application WPAR is similar to a System WPAR except without file system isolation. With the advent of WPARs, the main AIX environment is now called the Global environment. Multiple WPARs can be created and executed within the Global environment by a system administrator.
1.5.1.1.12 Cryptographic Framework
AIX supports the AIX Cryptographic Framework (ACF). This framework is implemented by the AIX kernel and allows applications access to cryptographic hardware and software supported by the kernel while at the same time isolating applications from the cryptographic hardware and software. In the evaluated configuration, IBM's CLiC software is supported by ACF.
1.5.1.1.13 Mandatory access control (LAS mode only)
LAS mode provides full mandatory access control (MAC) for all objects on the system. Every file, directory, IPC object, and process on the system is given a sensitivity label (SL) which cannot be modified by an unprivileged process. Each user account is assigned a range of valid SLs, and the user can only operate on the TOE within that range. A process (or user) can only create objects at its current SL, and can only read and write objects subject to the MAC restrictions imposed by the system. It is not possible for unauthorized users to “downgrade” information or to bypass MAC restrictions by any utility or application on the system. Copies of a file, or portions of a file, created by any possible means, will always be protected at an SL at least as high as the original file.
1.5.1.1.14 Mandatory integrity control (LAS mode only)
LAS mode provides full mandatory integrity control (MIC) for all objects on the system. Every file, directory, IPC object, and process on the system is given an integrity label (TL) which cannot be modified by an unprivileged process. Each user account is assigned a range of valid TLs, and the user can only operate on the TOE within that range. A process (or user) can only create objects at its current TL, and can only read and write objects subject to the MIC restrictions imposed by the system. It is not possible for unauthorized users to "upgrade" integrity levels associated with data or to bypass MIC restrictions by any utility or application on the system. Copies of a file, or portions of a file, created by any possible means, will always be protected at a TL no greater than that of the original file.
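The following Python is an added model of the label checks in sections 1.5.1.1.13 (MAC) and 1.5.1.1.14 (MIC) above; it is not code from the Security Target or from Trusted AIX. The label encoding (level plus compartments), the user, object and range values are constructed, and the concrete rule set (no read-up and no write-down on sensitivity labels, the dual on integrity labels) is the standard lattice model assumed here rather than a rule quoted from the ST; the copy function shows why a copy always carries an SL at least as high, and a TL no greater, than the original.

```python
# Added example (not code from the Security Target or from AIX): a small model
# of the LAS-mode label checks described in 1.5.1.1.13 (MAC, sensitivity
# labels) and 1.5.1.1.14 (MIC, integrity labels).  The label encoding, the
# names and the clearance ranges are constructed; the rule set (no read-up /
# no write-down for SL, the dual for TL) is a standard lattice model assumed
# here, not quoted from the ST.
from dataclasses import dataclass, field
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Label:
    """A hierarchical level plus a set of non-hierarchical compartments."""
    level: int
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # a dominates b when its level is at least b's and it holds every
        # compartment b holds; this is the partial order of the label lattice
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass
class Process:
    name: str
    sl: Label                       # current sensitivity label
    tl: Label                       # current integrity label
    sl_range: Tuple[Label, Label]   # (lowest, highest) SL the account may use
    tl_range: Tuple[Label, Label]   # (lowest, highest) TL the account may use


@dataclass
class Obj:
    name: str
    sl: Label
    tl: Label


def session_labels_valid(p: Process) -> bool:
    """A user may only operate within the SL/TL range assigned to the account."""
    lo_sl, hi_sl = p.sl_range
    lo_tl, hi_tl = p.tl_range
    return (p.sl.dominates(lo_sl) and hi_sl.dominates(p.sl)
            and p.tl.dominates(lo_tl) and hi_tl.dominates(p.tl))


def can_read(p: Process, o: Obj) -> bool:
    # MAC: no read-up (process SL must dominate object SL)
    # MIC: only read from equal or higher integrity (object TL must dominate process TL)
    return p.sl.dominates(o.sl) and o.tl.dominates(p.tl)


def can_write(p: Process, o: Obj) -> bool:
    # MAC: no write-down (object SL must dominate process SL), so information
    # can never be "downgraded" by writing it into a lower-labelled object
    # MIC: only write to equal or lower integrity (process TL must dominate object TL)
    return o.sl.dominates(p.sl) and p.tl.dominates(o.tl)


def create_object(p: Process, name: str) -> Obj:
    """New objects are created at the creating process's current SL and TL."""
    if not session_labels_valid(p):
        raise PermissionError(f"{p.name}: current labels outside account range")
    return Obj(name, p.sl, p.tl)


def copy_object(p: Process, src: Obj, name: str) -> Obj:
    """Copying needs read access to the source; the copy is created at the
    process's labels, so its SL dominates the source SL and its TL is
    dominated by the source TL: copies are protected at least as high (SL)
    and no greater (TL) than the original."""
    if not can_read(p, src):
        raise PermissionError(f"{p.name} may not read {src.name}")
    return create_object(p, name)


# Constructed sample: four levels and one compartment "NUC".
UNCLASS, CONF, SECRET, TOPSECRET = 0, 1, 2, 3
NUC = frozenset({"NUC"})

alice = Process(
    name="alice",
    sl=Label(SECRET, NUC), tl=Label(1),
    sl_range=(Label(UNCLASS), Label(TOPSECRET, NUC)),
    tl_range=(Label(0), Label(2)),
)
low_doc = Obj("low_doc", sl=Label(CONF), tl=Label(2))              # readable, not writable
high_doc = Obj("high_doc", sl=Label(TOPSECRET, NUC), tl=Label(0))  # writable, not readable


def demo() -> dict:
    copy = copy_object(alice, low_doc, "low_doc.copy")
    return {
        "read_low": can_read(alice, low_doc),
        "write_low": can_write(alice, low_doc),
        "read_high": can_read(alice, high_doc),
        "write_high": can_write(alice, high_doc),
        "copy_sl_at_least_original": copy.sl.dominates(low_doc.sl),
        "copy_tl_no_greater_than_original": low_doc.tl.dominates(copy.tl),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```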
1.5.1.1.15 Trusted Network (LAS mode only)
LAS mode provides export and import of labeled data via network interfaces and enforces mandatory access control for network traffic by means of Trusted Network (TN). TN provides two sets of networking rules: network interface and host filtering. Both types of networking rules determine what processing occurs on a packet before its transmission or when it is received. These rules apply sensitivity labels to packets and enforce MAC restrictions on packets according to those labels. TN network interface rules enforce packet label processing based on the physical network interface of the host. Host rules enforce packet label processing based on the source and destination IP addresses (with network masking allowed) of the packet, the source and destination ports of the request, and the protocol being used. Both types of rules provide several criteria for determining which packets to drop and which to pass.
1.5.1.2 VIOS
1.5.1.2.1 Identification & authentication
VIOS provides identification and authentication (I&A) based upon user passwords. The quality of the passwords used can be enforced through configuration options controlled by VIOS. VIOS uses a file-based database to store user I&A data.
VIOS supports both local and remote login. Remote login is supported through telnet.
All individual users are assigned a unique user identifier. This user identifier supports individual accountability. The TOE authenticates the claimed identity of the user before allowing the user to perform any further actions.
1.5.1.2.2 Discretionary access control
VIOS provides DAC between VIOS SCSI device drivers acting on behalf of LPAR partitions as subjects and logical/physical volumes as objects. It also provides DAC between VIOS Ethernet device drivers acting on behalf of groups of LPAR partitions sharing a virtual network and VIOS Ethernet adapter device drivers where one is the subject and the other is the object (the Ethernet packets cannot contain VLAN tags).
1.5.1.2.3 Role-based access control
VIOS includes an RBAC mechanism. VIOS RBAC roles are predefined collections of authorizations that can be assigned to users. The VIOS RBAC mechanism is built on the same mechanism used by AIX RBAC except that the role names and abilities are different. All users of VIOS are considered administrative users. Unlike AIX, there is no legacy VIOS RBAC mechanism.
In this document, the VIOS RBAC mechanism is sometimes referred to as VRBAC in order to make a clear distinction between the VIOS RBAC mechanism and the AIX RBAC mechanism when brevity is necessary.
1.5.1.2.4 Security management
VIOS uses roles to perform system/security management, but defines a separate set of roles for system management than those used by AIX. Each VIOS role has a set of commands available to it. Security parameters are stored in specific files that are protected by the access control mechanisms of the TOE against unauthorized access by users.
1.5.2 Software
The Target of Evaluation is based on the following system software:
● IBM AIX 7 for POWER V7.1 Standard Edition, Program Number 5765-G98, with Recommended Technology Package 7100-00-03.
● The Virtual I/O Server (VIOS) contained in IBM PowerVM Standard Edition Version 2.2.0.0, Program Number 5765-PVS.
The TOE documentation is supplied on CD-ROM.
Table 3 contains a list of LPPs / File Sets that comprise the TOE. For each of these “LPP Names” there may be multiple actual installable components with that prefix. An ‘X' means that the mode supports the LPP.
Description | LPP Name | LAS Mode | BAS Mode
AIX Base Operating System | bos | X | X
AIX supported devices | devices | X | X
AIX printer drivers and control files | printers | | X
System management tools | sysmgt | X | X
X Windows server, libraries, and applications | X11 | | X
Kerberos client (optional) | krb5.client | X | X
TDS (LDAP) client (optional) | ldap.client | X | X
CLiC cryptographic module | clic | X | X
Table 3: List of LPPs / File sets
(The printers and X11 rows carry a single X; consistent with section 1.5.3, which requires printing to be disabled in LAS mode and ties the CDE windowing environment to BAS mode, they are shown under BAS Mode.)
Table 4 contains the IBM PRPQ ordering information for the evaluated system.
PRPQ | Product ID
P91209 | 5799-GWG
Table 4: PRPQ table
1.5.3 Configurations
The evaluated configurations are defined as follows:
● Either the BAS installation mode or the LAS installation mode must be selected at installation time.
● If BAS mode is selected, RBAC must also be selected. (LAS mode includes RBAC.)
● AIX 7.1 supports the use of IPv4 and IPv6. IPv6 conforms to [RFC2460]. Claims made by updates and enhancements to [RFC2460] were not considered by this evaluation.
● Only 64 bit architectures are included.
● Web Based Systems Management (WebSM) is not included.
● Both network (NIM, Network Install Manager) and CD installations are supported.
● Only the default mechanism for identification and authentication and the LDAP authentication method configured for “UNIX-type” authentication are included. Support for other authentication options, such as smartcard authentication, is not included in the evaluated configuration.
● If the system console is used, it must be connected directly to the workstation and afforded the same physical protection as the workstation.
● In BAS mode, AIX 7.1 provides both a native and a Sys5 print system. In LAS mode, printing must be disabled in the evaluated configuration.
● LAS Mode Only: System security flags (a.k.a. kernel security flags) need to be configured as identified in section 7.2.2.14.1 "TSF invocation guarantees (TP.1)".
● The system must be configured to disable remote access for an individual user after five consecutive failed login attempts have occurred for this user.
● If in BAS mode and if a windowing environment is used, the CDE file set must be selected at installation time.
● CLiC version 4.7.1 is included in the evaluated configuration. Only the cryptographic operations defined as CLiC operations in the FCS_CKM.*, FCS_COP.*, and FCS_RNG.* security functional requirements in chapter 6.1 were subject to evaluation.
● Dynamic Partitioning (Dynamic LPAR, DLPAR) is not supported in the evaluated configuration (i.e., the dynamic (de-)allocation of resources to a partition during operation is not allowed and must be prevented by organizational means in the Operational Environment).
● If the LDAP authentication method is used by the TOE, the network connection between the TOE and the LDAP server must be protected from modification and disclosure (e.g., by using SSL).
The TOE comprises one of the server machines (and optional peripherals) listed in section 1.5.3.2 "Technical environment for use" running the system software listed in Table 3 (a server running the above listed software is referred to as a “TOE server” below).
If the product is configured with more than one TOE server, they are linked by LANs, which may be joined by bridges/routers or by TOE workstations which act as routers/gateways or they connect using the Virtual Input/Output Server (VIOS).
If other systems are connected to the network they need to be configured and managed by the same authority using an appropriate security policy not conflicting with the security policy of the TOE.
1.5.3.1 File systems
The following file system types are supported:
● the AIX journaled file system (jfs2)
● the High Sierra file system for CD-ROM drives (CDRFS)
● the DVD-ROM file system (UDFS)
● the process file system (PROCFS) (a.k.a. /proc), which provides access to the process image of each process on the machine as if the process were a “file”. Process access decisions are enforced by MAC (LAS mode only), MIC (LAS mode only), and DAC attributes inferred from the underlying process's and user's security attributes.
● the Network File System (NFS) V3 and V4
● the Encrypted File System (EFS)
● the Special File System (SPECFS)
LAS Mode Note: CDRFS, UDFS, PROCFS, and (client-side) NFS are single level file systems. For mandatory access control, the labels of their mount point apply to all objects in the mounted file system. Single level file systems are not subject to mandatory integrity control and TCB policies, and their objects cannot be associated with privileges.
1.5.3.2 Technical environment for use
The following assumptions about the technical environment the TOE is intended to be used in are made:
1. The TOE is running on the following hardware platforms:
● The TOE is running in an LPAR on an IBM System p POWER6 server.
● The TOE is running in an LPAR on an IBM System p POWER7 server.
2. The following peripherals can be run with the TOE preserving the security functionality:
● all terminals supported by the TOE
● all storage devices and backup devices supported by the TOE (hard disks, CDROM drives, streamer drives, floppy disk drives)1
● all printer devices supported by the TOE (LAS mode must have printing disabled in the evaluated configuration)
1 The system distinguishes between storage and backup devices. Storage devices are hardware devices holding parts of
3. Network connectors supported by the TOE (e.g., Ethernet) supporting TCP/IP services over the TCP/IP protocol stack.
4. NFSv4 supports the use of the IBM Network Authentication Service (NAS) v1.4, which is based on [RFC4120] (Kerberos Version 5), for aiding in establishing a trusted channel between NFSv4 clients and servers. NAS v1.4 is part of the Operational Environment. NAS v1.4 must be configured to use LDAP for its database.
1.5.3.2.1 LPAR environment
The logical partitioning capable System p POWER6 and POWER7 servers that represent the underlying hardware for the TOE support a logical partitioned environment that enables the System p POWER6 and POWER7 systems to run multiple logical partitions concurrently. In a logical partition, an operating system instance runs with dedicated resources: processors, memory, and I/O slots. These resources are statically assigned to the logical partition. The total amount of assignable resources is limited by the physically installed resources in the system. Because the implementation of logical partitioning is static, one has to shut down every operating system instance in all logical partitions to change the resource assignment of running logical partitions.
From a functional point of view, applications on top of an operating system are running inside partitions in the same way they run on a stand-alone System p machine. There are no issues when moving an application from a stand-alone server to a partition. Operating system software needs to be modified in some areas to call Hypervisor functions instead of native code. The design of partitioning-capable System p POWER6 and POWER7 servers is such that one partition is isolated from software running in the other partitions, including protection against natural software defects and even deliberate software attempts to break the partition barriers.
The logical resources of the underlying hardware that can be assigned to a partition are:
● Processors
● Main memory regions
● I/O slots
The assignment of those resources to the individual logical partitions is stored in non-volatile RAM. This part of the NVRAM is maintained by a “Service Processor” and cannot be read or modified directly by the TOE running in a logical partition. The assignment itself is performed by a System Administrator, who uses a “Hardware Management Console” (HMC) to define those assignments. The HMC communicates with the service processor that accepts the commands from the HMC and sets the values to define the logical partitions in the non-volatile RAM (NVRAM) accordingly. A Run-Time Abstraction Layer (RTAS) provides an abstraction mechanism for platform service calls. The functions of the underlying LPAR architecture need to be used by different parts of the TOE. The following figure shows the parts of AIX that interact with the functions of the Operational Environment. Adaptations in AIX have been made to enable the TOE to interact in an LPAR specific way with the VMM, virtual TTY console, RTAS and kernel debugger.
Please note that the support of static LPARs does not introduce any additional security functionality for the TOE - the separation between partitions and protection of the TOE from operating systems running in other logical partitions on the same underlying machine is completely enforced by the underlying machine.
2 CC Conformance Claim
This ST is CC Part 2 extended and CC Part 3 conformant, with a claimed Evaluation Assurance Level of EAL4, augmented by ALC_FLR.3.
This ST claims conformance to the following Protection Profiles:
● [OSPP]: BSI Operating System Protection Profile. Version 2.0 as of 2010-06-01; strict conformance.
● [OSPP-AM]: BSI OSPP Extended Package - Advanced Management. Version 2.0 as of 2010-05-28; strict conformance.
● [OSPP-CRYPTO]: BSI OSPP Extended Package - General Purpose Cryptography. Version 2.0 as of 2010-05-28; strict conformance.
● [OSPP-IV]: BSI OSPP Extended Package - Integrity Verification. Version 2.0 as of 2010-05-28; strict conformance.
● [OSPP-LS]: BSI OSPP Extended Package - Labeled Security. Version 2.0 as of 2010-05-28; strict conformance.
● [OSPP-VIRT]: BSI OSPP Extended Package - Virtualization. Version 2.0 as of 2010-05-28; strict conformance.
Common Criteria [CC] version 3.1 revision 3 is the basis for this conformance claim.
2.1 Protection Profile tailoring and additions
2.1.1 BSI Operating System Protection Profile ([OSPP])
[OSPP] applies to AIX and Trusted AIX (i.e., BAS mode and LAS mode). The following SFR name modifications have been made to [OSPP]:
From | To | Iteration | Hierarchical substitution | Rationale
FAU_GEN.1 | FAU_GEN.1(BASE) | X | | Iteration is required because the ST defines FAU_GEN.1(LS).
FAU_SEL.1 | FAU_SEL.1(BASE) | X | | Iteration is required because the ST defines FAU_SEL.1(LS).
FDP_ACC.1(PSO) | FDP_ACC.1(PSO-AIXC), FDP_ACC.1(PSO-NFS) | X | | The TOE supports two different PSO policies.
FDP_ACF.1(PSO) | FDP_ACF.1(PSO-AIXC), FDP_ACF.1(PSO-NFS) | X | | The TOE supports two different PSO policies.
FDP_ITC.2 | FDP_ITC.2(BASE) | X | | Iteration is required because [OSPP-VIRT] contains FDP_ITC.2(VIRT).
FIA_SOS.1 | FIA_SOS.1(BASE) | X | | Iteration is required because VIOS defines FIA_SOS.1(VIOS).
FIA_UID.1 | FIA_UID.2(BASE) | X | X | AIX & Trusted AIX support the more restrictive FIA_UID.2. Iteration is required because VIOS defines FIA_UID.2(VIOS).
FMT_SMF.1 | FMT_SMF.1(BASE) | X | | Iteration is required because VIOS defines FMT_SMF.1(VIOS).
FMT_MSA.1(PSO) | FMT_MSA.1(PSO-AIXC), FMT_MSA.1(PSO-NFS) | X | | The TOE supports two different PSO policies.
FMT_MSA.3(PSO) | FMT_MSA.3(PSO-AIXC), FMT_MSA.3(PSO-NFS) | X | | The TOE supports two different PSO policies.
FMT_SMR.1 | FMT_SMR.2 | | X | AIX & Trusted AIX support the more restrictive FMT_SMR.2.
FPT_TDC.1 | FPT_TDC.1(BASE) | X | | Iteration is required because [OSPP-LS] contains FPT_TDC.1(LS).
Table 5: SFR name modifications to [OSPP]
2.1.2 BSI OSPP Extended Package - Advanced Management ([OSPP-AM])
[OSPP-AM] applies to AIX and Trusted AIX (i.e., BAS mode and LAS mode).
2.1.3 BSI OSPP Extended Package - General Purpose Cryptography ([OSPP-CRYPTO])
[OSPP-CRYPTO] applies to AIX and Trusted AIX (i.e., BAS mode and LAS mode).
2.1.4 BSI OSPP Extended Package - Integrity Verification ([OSPP-IV])
[OSPP-IV] applies to AIX and Trusted AIX (i.e., BAS mode and LAS mode).
2.1.5 BSI OSPP Extended Package - Labeled Security ([OSPP-LS])
[OSPP-LS] applies to Trusted AIX (i.e., LAS mode).
2.1.6 BSI OSPP Extended Package - Virtualization ([OSPP-VIRT])
3 Security Problem Definition
3.1 Threat Environment
All threats and environmental threats refer to AIX (BAS mode) and Trusted AIX (LAS mode) unless otherwise stated. All threats and environmental threats for VIOS are explicitly marked as VIOS only. VIOS does not share threats or environmental threats with either AIX or Trusted AIX.
The threat agents and assets are defined by the protection profile and extended packages to which this document conforms and apply to AIX, Trusted AIX, and VIOS.
3.1.1 Threats countered by the TOE
[OSPP]_T.ACCESS.TSFDATA
A threat agent might read or modify TSF data without the necessary authorization when the data is stored or transmitted.
[OSPP]_T.ACCESS.USERDATA
A threat agent might gain access to user data stored, processed or transmitted by the TOE without being appropriately authorized according to the TOE security policy.
[OSPP]_T.ACCESS.TSFFUNC
A threat agent might use or modify functionality of the TSF without the necessary privilege to grant itself or others unauthorized access to TSF data or user data.
[OSPP]_T.ACCESS.COMM
A threat agent might access a communication channel that establishes a trust relationship between the TOE and another remote trusted IT system or masquerade as another remote trusted IT system.
[OSPP]_T.RESTRICT.NETTRAFFIC
A threat agent might get access to information or transmit information to other recipients via network communication channels without authorization for this communication attempt by the information flow control policy.
[OSPP]_T.IA.MASQUERADE
A threat agent might masquerade as an authorized entity including the TOE itself or a part of the TOE in order to gain unauthorized access to user data, TSF data, or TOE resources.
[OSPP]_T.IA.USER
A threat agent might gain access to user data, TSF data or TOE resources with the exception of public objects without being identified and authenticated.
[OSPP-AM]_T.ROLE.SNOOP
An attacker might obtain the rights granted to a role that was delegated to another user.
[OSPP-AM]_T.ROLE.DELEGATE
An attacker might delegate rights granted to a role that he does not possess or that he is not allowed to delegate.